CVE-2026-23460 Overview
CVE-2026-23460 is a NULL pointer dereference vulnerability in the Linux kernel's ROSE (Radio Amateur Packet Radio) network subsystem. The flaw exists in the rose_transmit_link() function and can be triggered during socket reconnection attempts. This vulnerability was discovered through syzkaller, Google's kernel fuzzing infrastructure, highlighting a missing state validation check in the rose_connect() function.
Critical Impact
Local attackers can trigger a kernel panic through a NULL pointer dereference by initiating a second connect() call on a ROSE socket while the first connection attempt is still in progress, potentially leading to system denial of service.
Affected Products
- Linux Kernel (ROSE network protocol subsystem)
- Systems with ROSE amateur radio protocol enabled
- Linux distributions with CONFIG_ROSE kernel module compiled
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23460 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23460
Vulnerability Analysis
ROSE sockets in the Linux kernel utilize four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. The rose_connect() function properly rejects connection attempts when the socket is in TCP_ESTABLISHED state (returning -EISCONN) and when in TCP_CLOSE with SS_CONNECTING (returning -ECONNREFUSED). However, the function lacks a critical validation check for the TCP_SYN_SENT state.
When rose_connect() is invoked a second time while a connection attempt is already in progress (socket in TCP_SYN_SENT state), the function proceeds to overwrite rose->neighbour via rose_get_neigh(). If this function returns NULL, the socket enters an inconsistent state where rose->state equals ROSE_STATE_1 but rose->neighbour is NULL.
Subsequently, when the socket is closed, rose_release() observes ROSE_STATE_1 and invokes rose_write_internal(), which in turn calls rose_transmit_link(skb, NULL). This call with a NULL neighbour pointer triggers a NULL pointer dereference, resulting in a kernel panic.
Root Cause
The root cause is a missing state validation check in rose_connect() that fails to reject reconnection attempts when a connection is already in progress. According to the connect(2) specification, a second connect() call while a connection is already in progress should return -EALREADY. The fix adds this missing check for the TCP_SYN_SENT state to complete the state validation logic.
Attack Vector
The vulnerability is exploitable locally by a user with access to create ROSE sockets. The attack involves:
- Creating a ROSE socket and initiating a connection attempt (socket enters TCP_SYN_SENT state)
- Immediately calling connect() again before the first connection completes
- If rose_get_neigh() returns NULL during the second call, the socket is left in an inconsistent state
- Closing the socket triggers the NULL pointer dereference in rose_transmit_link()
The vulnerability mechanism involves a race condition in socket state management. When rose_connect() processes a second connection request while the socket is in TCP_SYN_SENT state, it overwrites internal connection state without proper validation. If the neighbor lookup fails, subsequent socket cleanup operations attempt to dereference a NULL pointer, causing a kernel panic. A reproducer demonstrating this issue is available at the syzkaller bug report.
Detection Methods for CVE-2026-23460
Indicators of Compromise
- Kernel panic logs showing NULL pointer dereference in rose_transmit_link() or rose_write_internal()
- System crash dumps referencing the net/rose kernel module
- Unexpected system reboots on systems with ROSE protocol enabled
Detection Strategies
- Monitor kernel logs for oops messages containing rose_transmit_link or rose_connect in the call trace
- Implement system call auditing for connect() calls on AF_ROSE sockets
- Deploy kernel crash dump analysis tools to identify exploitation attempts
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture evidence of exploitation attempts
- Monitor for unusual ROSE socket activity using netlink socket monitoring
- Implement SentinelOne Singularity endpoint protection for real-time kernel-level threat detection
How to Mitigate CVE-2026-23460
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the TCP_SYN_SENT state check in rose_connect()
- Disable the ROSE kernel module if not required for operational purposes using modprobe -r rose
- Apply kernel live patching if available for your distribution to mitigate without reboot
Patch Information
The vulnerability has been fixed in multiple kernel versions through a series of commits that add the missing -EALREADY return check for TCP_SYN_SENT state in rose_connect(). Patches are available at the following kernel git commits:
- Kernel Git Commit 0c3e8bf
- Kernel Git Commit 0c9fb70
- Kernel Git Commit 508f49c
- Kernel Git Commit a122540
- Kernel Git Commit c2ab74c
- Kernel Git Commit e1f0a18
Workarounds
- Blacklist the ROSE kernel module by adding blacklist rose to /etc/modprobe.d/blacklist.conf
- Restrict access to raw sockets and AF_ROSE address family using SELinux or AppArmor policies
- Limit local user access to systems where ROSE protocol is required
# Disable ROSE kernel module temporarily
sudo modprobe -r rose
# Permanently blacklist ROSE module
echo "blacklist rose" | sudo tee /etc/modprobe.d/rose-blacklist.conf
echo "install rose /bin/false" | sudo tee -a /etc/modprobe.d/rose-blacklist.conf
# Verify module is not loaded
lsmod | grep rose
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
